NetBSD Security Advisory 2008-012
=================================
Topic:		Denial of service issues in racoon(8)

Version:	NetBSD-current:		affected
		NetBSD 4.0:		affected
		NetBSD 3.1.*:		not affected
		NetBSD 3.1:		not affected
		NetBSD 3.0.*:		not affected
		NetBSD 3.0:		not affected

Severity:	Denial of service

Fixed:		NetBSD-current:		August 12, 2008
		NetBSD-4-0 branch:	August 18, 2008
					(4.0.1 will include the fix)
		NetBSD-4 branch:	August 18, 2008
					(4.1 will include the fix)
		pkgsrc:			ipsec-tools-0.7.1 corrects the issue
Abstract
========
racoon(8) does not currently remove orphaned, invalid connections initiated
by a remote peer. As a result, a denial of service is possible.
This vulnerability has been assigned CVE-2008-3652.
Technical Details
=================
When racoon(8) receives an invalid packet from a peer, it keeps the ph1handle
and expects the peer to resend a valid packet. If the peer's invalid packet
is the first exchange (typically an SA exchange with no valid proposal),
the freshly created ph1handle is never removed, which is in fact a memory
leak.

A legitimate peer with an invalid configuration, or an attacker, that sends
SA exchanges with no valid proposal can cause a denial of service if it can
generate enough ph1handles: racoon slows down with every ph1handle lookup,
and may eventually run out of memory.
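The following C model of the handle life-cycle described above is an added example for this advisory, not code from racoon or ipsec-tools; the list, the ph1handle struct, the fixed flag and simulate_bad_peers() are hypothetical stand-ins for what isakmp.c really does. It shows how rejected first exchanges accumulate handles unless the failure path frees them.

```c
#include <stdlib.h>

/* Hypothetical model of racoon's phase-1 handle list; not racoon's code. */
struct ph1handle { unsigned int peer_id; struct ph1handle *next; };
static struct ph1handle *ph1tree;   /* head of the live-handle list */

static struct ph1handle *ph1_new(unsigned int peer_id)
{
    struct ph1handle *h = calloc(1, sizeof *h);
    if (h == NULL) return NULL;
    h->peer_id = peer_id;
    h->next = ph1tree;
    ph1tree = h;
    return h;
}

static void ph1_remove(struct ph1handle *h)
{
    for (struct ph1handle **pp = &ph1tree; *pp != NULL; pp = &(*pp)->next)
        if (*pp == h) { *pp = h->next; free(h); return; }
}

/* Every lookup walks the list, so leaked handles slow racoon down first. */
size_t ph1_count(void)
{
    size_t n = 0;
    for (struct ph1handle *h = ph1tree; h != NULL; h = h->next) n++;
    return n;
}

void ph1_reset(void) { while (ph1tree != NULL) ph1_remove(ph1tree); }

/* First packet of an exchange.  valid_proposal == 0: SA payload had no
 * acceptable proposal.  fixed == 0 leaves a rejected first exchange's handle
 * in the list (the CVE-2008-3652 leak); fixed != 0 frees it before returning. */
int isakmp_first_exchange(unsigned int peer_id, int valid_proposal, int fixed)
{
    struct ph1handle *h = ph1_new(peer_id);
    if (h == NULL) return -1;
    if (valid_proposal) return 0;   /* keep handle, wait for next packet */
    if (fixed) ph1_remove(h);       /* fix: drop the orphaned handle */
    return -1;
}

/* n rejected first exchanges from distinct peers; report handles left over. */
size_t simulate_bad_peers(unsigned int n, int fixed)
{
    ph1_reset();
    for (unsigned int i = 0; i < n; i++)
        (void)isakmp_first_exchange(0x10000u + i, 0, fixed);
    return ph1_count();
}
```

With fixed == 0 the handle count grows by one per rejected peer and never shrinks; with fixed != 0 it stays at zero while a valid first exchange still keeps its handle.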
Solutions and Workarounds
=========================
Only kernels compiled with the following option are vulnerable to this issue:

	options IPSEC

As a temporary workaround, recompile the kernel with the above option
commented out. The default NetBSD GENERIC kernels do not have this
option enabled. In addition, the system must be running the
racoon(8) daemon, which is not enabled by default.

An additional workaround is to add filtering rules so that only
legitimate peers can send IKE exchanges (port 500/udp).
The following instructions describe how to upgrade your ipsec-tools
binaries by updating your source tree and rebuilding and installing
a new version of ipsec-tools.
* NetBSD-current:

	Systems running NetBSD-current dated from before 2008-08-12
	should be upgraded to NetBSD-current dated 2008-08-13 or later.

	The following files/directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		crypto/dist/ipsec-tools/src/racoon/isakmp.c

	To update from CVS, re-build, and re-install ipsec-tools:
		# cd src
		# cvs update crypto/dist/ipsec-tools/src/racoon/isakmp.c
		# cd usr.sbin/racoon
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install
* NetBSD 4.*:

	Systems running NetBSD 4.* sources dated from before
	2008-08-18 should be upgraded from NetBSD 4.* sources dated
	2008-08-19 or later.

	The following files/directories need to be updated from the
	netbsd-4 or netbsd-4-0 branches:
		crypto/dist/ipsec-tools

	To update from CVS (with <branch> replaced by netbsd-4 or
	netbsd-4-0, as appropriate), re-build, and re-install ipsec-tools:
		# cd src
		# cvs update -r <branch> -d -P crypto/dist/ipsec-tools
		# cd lib/libipsec
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install
		# cd ../../sbin/setkey
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install
		# cd ../../usr.sbin/racoon
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install
Thanks To
=========
Yvan Vanhullebus for the patches and technical feedback on the issue.
Revision History
================
2008-09-15 Initial release
2008-09-15 Clarify abstract and add Thanks To section
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-012.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2008, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2008-012.txt,v 1.2 2008/09/15 22:18:43 adrianp Exp $